Configuring OpenVPN to authenticate with FreeRADIUS part 1


Hi there people, I know it’s been a long time since I posted anything here on my blog, but believe me I was pretty busy with work (I currently am as well). Nonetheless, I had a few hours to myself, so I thought of putting this quick tutorial here. The following method of configuring FreeRADIUS to authenticate your network users is fully tested by me on CentOS 6.5. It should work for previous versions of the operating system as well. So, let’s dive in!

This is going to be a long tutorial, so bear with me, as there are three main parts we have to work on to get this set up.

1. Configure OpenVPN on a machine. You may do so using this guide.

2. Configure FreeRADIUS on the same machine or on a different machine (if you have a spare one).

3. Bind OpenVPN and FreeRADIUS together using a plugin so that VPN users are authenticated against the FreeRADIUS database.

Configuring FreeRADIUS:

In this part, I will show you how to configure FreeRADIUS on a CentOS 6.5 machine. So, let’s start.

1. First, let’s install the packages that we need to make this setup work:

yum install freeradius freeradius-mysql freeradius-utils mysql-server mysql php-mysql php

NOTE: php and php-mysql are not required if you do not want to install a web management interface for managing users, groups and other things.

2. Start the MySQL service and make sure it runs every time the system boots:

/etc/init.d/mysqld start
chkconfig mysqld on

3. Set up the ‘root’ user password for MySQL by running the script provided by the MySQL installation:

/usr/bin/mysql_secure_installation   # follow the on-screen instructions to get you going for the first time

4. Next we need to create the radius database, so log into the MySQL server using the command line utility:

mysql -u root -p

5. Create the database and name it ‘radius’ (without the quotes):

mysql> CREATE DATABASE radius;
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "rad-password";
mysql> flush privileges;
mysql> exit

6. It’s time to populate the database we created in the last step with the supplied schema:

mysql -uradius -p radius < /etc/raddb/sql/mysql/schema.sql

7. Next we will fill in the details of our radius database in the SQL module configuration. Edit the file ‘/etc/raddb/sql.conf’, look for the connection info section and add/edit the details of your database there:

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "rad-password"
radius_db = "radius"

8. Open the file ‘/etc/raddb/radiusd.conf’, find the following line and uncomment it:

$INCLUDE sql.conf

9. After that, edit ‘/etc/raddb/sites-available/default’ and uncomment the line containing ‘sql’ under the authorize {} section, the ‘sql’ line under the accounting {} section, and also ‘sql’ under the session {} section.

For the convenience of the readers of this blog, I have removed the extra stuff from the above-mentioned file, and you may download that file from:

https://techlinux.net/default.txt

Once you have this file, rename the original file to something else and put the downloaded file in its place (renamed to ‘default’, of course).

10. Next, edit ‘/etc/raddb/sites-available/inner-tunnel’ and uncomment the lines containing ‘sql’ under authorize {} and under session {}.

For the convenience of the readers of this blog, I have removed the extra stuff from the above-mentioned file, and you may download that file from:

https://techlinux.net/inner-tunnel.txt

11. Edit the clients.conf file, which is present at ‘/etc/raddb/clients.conf’, and add a client profile. This is the somewhat tricky part where most people (including me) get confused: which client’s IP address do I need to put in this file?

The clients that you list here are actually the other services (such as the OpenVPN server, or any other server/service) that want to use the FreeRADIUS service for authenticating users.

client IP_OF_THE_SERVER {
    secret = shared_secret
    nastype = other
}

In the above code, ‘IP_OF_THE_SERVER’ refers to the IP address of the server where OpenVPN is listening for requests, and ‘secret’ is the shared secret that server must present. You may leave this field empty for now.

12. Last but not least, restart the FreeRADIUS service:

/etc/init.d/radiusd restart

If you encounter any problems, you can run FreeRADIUS in debug mode to find any authentication issues. To run FreeRADIUS in debug mode, stop the service and execute:

radiusd -X      # or radiusd -XX for increased verbosity
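A quick way to check the result of step 12 is to send one Access-Request to the server the way radtest (from freeradius-utils, installed in step 1) does. The following Python client is an added example, not code from this tutorial or from FreeRADIUS; it assumes radiusd is listening on 127.0.0.1:1812, that 127.0.0.1 is listed in clients.conf with the placeholder secret shared_secret, and that a test user exists in the radcheck table (for example via INSERT INTO radcheck (username, attribute, op, value) VALUES ('vpnuser', 'Cleartext-Password', ':=', 'pass');).

```python
# Minimal RADIUS PAP test client (RFC 2865), roughly what radtest does. Added
# example, not code from this tutorial or from FreeRADIUS; assumes radiusd on
# 127.0.0.1:1812 and a clients.conf entry for 127.0.0.1 ("shared_secret" is a placeholder).
import hashlib, os, socket, struct

REPLY_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def _xor_chain(data, secret, authenticator, chain_on_output):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    # where the first "previous block" is the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if chain_on_output else data[i:i + 16])
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_chain(padded, secret, authenticator, True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Anyone holding the shared secret can undo the hiding: obfuscation, not encryption.
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(user, password, secret, authenticator=None, ident=1):
    # Code 1 = Access-Request, carrying User-Name (1) and User-Password (2).
    auth = authenticator or os.urandom(16)
    attrs = b""
    for typ, val in ((1, user.encode()),
                     (2, hide_password(password.encode(), secret.encode(), auth))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(header, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    # Verify the Response Authenticator before trusting the reply code.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if packet[4:20] != response_authenticator(packet[:4], request_auth, packet[20:length], secret):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return REPLY_NAMES.get(code, "code %d" % code)

def authenticate(user, password, secret, server=("127.0.0.1", 1812), timeout=3.0):
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        reply, _ = sock.recvfrom(4096)
    return parse_reply(reply, request[4:20], secret.encode())
```

Call authenticate('vpnuser', 'pass', 'shared_secret') and expect "Access-Accept"; a wrong secret in clients.conf shows up as a timeout or a Response Authenticator error rather than a clean reject. reveal_password shows why the shared secret must be long and random: the User-Password attribute is only XORed with MD5(secret + authenticator), so anyone who captures RADIUS traffic and knows the secret recovers the password.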

Configuring a web management tool for FreeRADIUS – daloRADIUS:

As you know by now, FreeRADIUS uses the MySQL database to store usernames and passwords. daloRADIUS is a good choice of web management tool for managing users and groups, which we would otherwise have to set up by hand at the MySQL console. Installing daloRADIUS is pretty straightforward and you should be up and running in no time.

1. Download the daloRADIUS installation files from SourceForge, extract them and import its tables; then we will make the daloRADIUS directory available through the web server so it can be accessed via a web browser.

cd /tmp/
wget -O daloradius-0.9-9.tar.gz "http://sourceforge.net/projects/daloradius/files/latest/download?source=files"   # -O keeps the real filename instead of "download?source=files"
tar zxvf daloradius-0.9-9.tar.gz
mysql -uradius -p radius < daloradius-0.9-9/contrib/db/fr2-mysql-daloradius-and-freeradius.sql

2. Next, we will make some changes in the daloRADIUS configuration file so that it points at the radius database created above:

vim daloradius-0.9-9/library/daloradius.conf.php

$configValues['DALORADIUS_VERSION'] = '0.9-9';
$configValues['FREERADIUS_VERSION'] = '2';
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'rad-password';
$configValues['CONFIG_DB_NAME'] = 'radius';

mv daloradius-0.9-9 /var/www/html/daloradius

3. Point your browser at ‘http://your-servers-ip-address/daloradius’ and VOILA!

To log into the panel, use the default username and password (change them right after your first login):

Username administrator
Password radius

You can find part 2 of this tutorial by clicking on the link below:
Click me for part 2

And please note, your comments and suggestions are always welcome.

Have Fun!

3 thoughts on “Configuring OpenVPN to authenticate with FreeRADIUS part 1”

  1. Hello Aman

    Thanks for the tutorial. I couldn’t find the radius plugin configuration part. I used a radius plugin but unable to authenticate openvpn users via my radius server. Could you please help?
